Protecting Your Zimbra Collaboration Environment

Zimbra SSL SNI for HTTPS A Zimbra Collaboration Whitepaper Zimbra SSL SNI Zimbra SSL SNI

Table of Contents Zimbra SSL SNI Reduces SSL Zimbra SSL SNI Reduces SSL Configuration Configuration Complexity Zimbra SSL SNI (Server Name Indication) allows the proxy server to Complexity 3 number, allowing multiple secure (HTTPS) domains to be served on the Getting Started 4 present multiple certificates on the same IPv4 address and TCP port

Prerequisites 4 sameZimbra IP SSL address SNI is without excellent using for Businessthe same Servicemulti-SAN Providers certificate. who host

Browser Support for SNI 4 they can protect their users without being worried about the number of anywhere from five, up to thousands of domains. With Zimbra SSL SNI,

SSL SNI Workflow 5 (already limited) IPv4 addresses per domain. Configuring the IP Address per Domain 5 • Allows Zimbrathe proxy SSL server SNI: to present Verifying and Preparing the Certificates 6

multiple certificates on the same Deploying the Certificate(s) on the Domain 7 • IPv4Allows address multiple & TCP secure port HTTPSnumber domains to be served on the same Proxy Check 8 IP address wihtout using the same

Rewrite and Restart Proxy 8 multi-SAN certificate Testing 8 Server Name Indication (SNI) is an extension to the TLS computer Troubleshooting 8 networking protocol by which a indicates which it is

attempting to connect to at the start of the handshaking process. This anyallows other a server Service to overpresent TLS) multiple to be served certificates off the on same the IPsame address IP address without and TCP port number and hence allows multiple secure (HTTPS) websites (or

desiredrequiring hostname all those issites not toencrypted, use the same so an certificate. eavesdropper It is thecan conceptual see which site equivalent to HTTP/1.1 name-based , but for HTTPS. The

isTo being make requested. SNI useful, as with any protocol, the vast majority of visitors

must use web browsers that implement it. Users whose browsers do not implement SNI are presented with a default certificate and hence are likely to receive certificate warnings. Source:Wikipedia

2 3 Zimbra SSL SNI Zimbra SSL SNI

Getting Started SSL SNI Workflow

Zimbra Collaboration support of SSL SNI requires and uses features of the Below is a diagram of the SSL SNI workflow. proxy service, which is required beginning with Zimbra Collaboration 8.7. Prerequisites • a multi server environment, these steps should be performed on the Zimbra proxy service must be installed and enabled on the server. In

• proxy node. You should have a signed certificate + matching key pair and the trusted chain certs from your CA (). This is a common issue, so please, make sure you check your files before deploying them. Zimbra SSL SNI requires and uses You can bind Multiple SSL Certificates to just one ipv4 address, which will pair 1.1.1.1 to the respective=> example.com domain names. For example: service is required beginning with features of the proxy service. The proxy 1.1.1.1=> otherdomain.com Zimbra Collaboration 8.7 Configuring the IP Address per Domain

You could have another IPv4 address with another group of SSL Follow these steps to configure the IP address per domain: Certificates. 3.3.3.3 => You yetanotherdomain.com can even have different (A types Comodo of SSL Wildcard Certificates: SSL Certificate) 3.3.3.3 => thisisanotherdomain.com (A free Let’s Encrypt SSL 1. Add the new domain, in this case example.com. Certificate) 2. Set zimbraVirtualHostName to mail.example.com and 3.3.3.3 => customer001.net (A RapidSSL Certificate) zimbraVirtualIPAddress to 1.2.3.4. etc. 3. Make sure the zimbraVirtualHostName is set to the name that will be used to access the domain (URL) and the SSL certificate is signed • zmprov for themd sameexample.com name. zimbraVirtualHostName mail.example.com zimbraVirtualIPAddress• 1.2.3.4 Browser Support for SNI For a list of browsers that support SNI, refer to the NOTE: If the server is behind a firewall and NAT’ed with an external Zimbra Multiple SSL address, make sure external requests for “mail.example.com” hit the Certificates, Server Name Indication (SNI) for HTTPS wiki. Note, however, that it is the responsibility of the web browser software to aliased IP address and not the actual local IP address of server. support the application of SNI.

4 5 Zimbra SSL SNI Zimbra SSL SNI

Deploying the Certificate(s) on the Verifying and Preparing Certificates Domain

You should have three files received from the CA (might vary depending on •the CA): 1. Add the domain certificate and chain files to a single file called example.com.bundle • Two chain certs cat example.com.crt example.com_ca.crt >> example.com.bundle The server (domain) certificate

You should also have an existing key file, which was used to generate the csr. 2. Run the following command as the zimbra user to save the certificates /opt/zimbra/libexec/zmdomaincertmgr and key in LDAP: savecrt example.com 1. Save the example.com certificate, key and chain files to a directory example.com.bundle example.com.key /tmp/example.com. You can receive single or multiple chain certs ** Saving domain config key zimbraSSLCertificate...done. from your CA. Here we have two chain certs from the CA: ** Saving domain config key zimbraSSLPrivateKey...done. ls /tmp/example.com example.com.root.crt and example.com.intermediate.crt. example.com.key example.com.crt example.com.root.crt The/opt/zimbra/libexec/zmdomaincertmgr syntax is: savecrt example.com.intermediate.crt

cat 2. Addexample.com.root.crt the chain certs to a singleexample.com.intermediate.crt file called example.com_ca.crt >> 3. Run the following command as the zimbra user to deploy the domain example.com_ca.crt certificate. This will save the certificate and key as /opt/zimbra/conf/ /opt/zimbra/libexec/zmdomaincertmgr domaincerts/example.com: deploycrts ** Deploying cert for example.com...done.

3. Confirm that the key and certificate matches and chain certs /opt/zimbra/bin/zmcertmgr completes the trust. As the verifycrt zimbra user: comm /tmp/example.com/ example.com.key /tmp/example.com/example.com.crt /tmp/example. com/example.com_ca.crt

Check the output; it should say something like what is shown below. If it **does Verifying not, make ‘/tmp/example.com.crt’ sure you have the correct keyagainst and chain ‘/tmp/example.com.key’ cert files. Certificate ‘/tmp/example.com.crt’ and private key ‘/tmp/example. com.key’ match. ** Verifying ‘/tmp/example.com.crt’ against ‘/tmp/example. com_ca.crt’ Valid certificate chain: /tmp/example.com.crt: OK

6 7 Zimbra SSL SNI Zimbra SSL SNI

Proxy Check

Run these commands on the proxy hosts or on the server if it’s a single- server• deployment.

zimbraReverseProxySNIEnabled should be set to TRUE in server and zmprovglobal mcf configzimbraReverseProxySNIEnabled TRUE

Rewrite and Restart Proxy

Restart the proxy to rewrite the changes to proxy config. zmproxyctl restart

Once the restart is successful, try to access the domain using the URL, which is set in “zimbraVirtualHostName” over . Also check the certificate loaded in the browser. In this case, the URL will be https:// example.com Testing You can now go to a web browser and check that for each different zimbraVirtualHostName you see a different SSL certificate and that its details are correct for that virtualhostname. Troubleshooting • If you do not see the correct domain cert by accessing the domain

with its zimbraVirtualHostName (example.com), make sure that the https connection from the internet/intranet is going to the server’s local IP address, which is defined in zimbraVirtualIPAddress. Also make sure you have activated zimbraReverseProxySNIEnabled to • If you are using multiple proxy servers or adding new proxy TRUE.

servers, make sure you copy all the contents of /opt/zimbra/conf/. domaincerts/ to all the proxy servers. Otherwise the proxy service -

Copyright © 2016 Synacor, Inc. All rights reserved. This product is protected by U.S. and inter national copyright and intellectual property laws. ZIMBRA is a trademark of Synacor, Inc. in the 8 United States and/or other jurisdictions. All other marks and names mentioned herein may be 9 trademarks of their respective companies.